package com.zenithmind.user.controller;

import lombok.RequiredArgsConstructor;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.core.oidc.OidcScopes;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.settings.ClientSettings;
import org.springframework.security.oauth2.server.authorization.settings.TokenSettings;
import org.springframework.web.bind.annotation.*;

import java.time.Duration;
import java.util.UUID;

/**
 * OAuth2客户端管理控制器
 * 提供注册、查询OAuth2客户端的API
 * 仅管理员可访问
 */
@RestController
@RequestMapping("/api/oauth2/clients")
@RequiredArgsConstructor
public class OAuth2RegisteredClientController {

    private final RegisteredClientRepository registeredClientRepository;

    /**
     * 注册新的OAuth2客户端
     * @param clientDTO 客户端信息
     * @return 注册成功的客户端ID
     */
    @PostMapping
    public String registerClient(@RequestBody ClientDTO clientDTO) {
        RegisteredClient registeredClient = RegisteredClient.withId(UUID.randomUUID().toString())
                .clientId(clientDTO.getClientId())
                .clientSecret(clientDTO.getClientSecret())
                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
                .redirectUri(clientDTO.getRedirectUri())
                .scope(OidcScopes.OPENID)
                .scope(OidcScopes.PROFILE)
                .scope(OidcScopes.EMAIL)
                .clientSettings(ClientSettings.builder()
                        .requireAuthorizationConsent(clientDTO.isRequireConsent())
                        .requireProofKey(false)
                        .build())
                .tokenSettings(TokenSettings.builder()
                        .accessTokenTimeToLive(Duration.ofHours(1))
                        .refreshTokenTimeToLive(Duration.ofDays(30))
                        .build())
                .build();

        registeredClientRepository.save(registeredClient);
        return registeredClient.getId();
    }

    /**
     * 客户端信息DTO
     */
    public static class ClientDTO {
        private String clientId;
        private String clientSecret;
        private String redirectUri;
        private boolean requireConsent;

        // Getters and setters
        public String getClientId() {
            return clientId;
        }

        public void setClientId(String clientId) {
            this.clientId = clientId;
        }

        public String getClientSecret() {
            return clientSecret;
        }

        public void setClientSecret(String clientSecret) {
            this.clientSecret = clientSecret;
        }

        public String getRedirectUri() {
            return redirectUri;
        }

        public void setRedirectUri(String redirectUri) {
            this.redirectUri = redirectUri;
        }

        public boolean isRequireConsent() {
            return requireConsent;
        }

        public void setRequireConsent(boolean requireConsent) {
            this.requireConsent = requireConsent;
        }
    }
} 